Global Sales Contact List

Contact   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

RSA Laboratories What is Cipher Block Chaining Mode?

In CBC mode (see Figure 2.3), each plaintext block is XORed with the previous ciphertext block and then encrypted. An initialization vector c0 is used as a "seed" for the process.

Figure 2.2: Electronic Code Book mode (click for a larger image)

CBC mode is as secure as the underlying block cipher against standard attacks. In addition, any patterns in the plaintext are concealed by the XORing of the previous ciphertext block with the plaintext block. Note also that the plaintext cannot be directly manipulated except by removal of blocks from the beginning or the end of the ciphertext. The initialization vector should be different for any two messages encrypted with the same key and is preferably randomly chosen. It does not have to be encrypted and it can be transmitted with (or considered as the first part of) the ciphertext. However, consider the vulnerability described in Question

The speed of encryption is identical to that of the block cipher, but the encryption process cannot be easily parallelized, although the decryption process can be.

PCBC (Propagating Cipher Block Chaining) mode is a variation on the CBC mode of operation and is designed to extend or propagate a single bit error in the ciphertext. This allows errors in transmission to be captured and the resultant plaintext to be rejected. The method of encryption is given by

ci = Ek(ci-1 Åmi-1 Åmi)

and decryption is achieved by computing

mi = ci-1 Åmi-1 ÅDk(ci).


There is a flaw in PCBC [Koh90], which may serve as an instructive example on cryptanalysis (see Section 2.4) of block ciphers. If two ciphertext blocks ci-2 and ci-1 are swapped, then the result of the ith step in the decryption still yields the correct plaintext block. More precisely, by (2.1) we have

mi = Dk(ci) Å(ci-1 ÅDk(ci-1)) Å(ci-2ÅDk(ci-2)) Åci-3 Åmi-3.

As a consequence, swapping two consecutive ciphertext blocks (or, more general, scrambling k consecutive ciphertext blocks) does not affect anything but the decryption of the corresponding plaintext blocks. Though the practical consequences of this flaw are not obvious, PCBC was replaced by CBC mode in Kerberos version 5. In fact, the mode has not been formally published as a federal or national standard.

Top of the page